What are the Information Security Management Principles?

Whilst preparing the ISO 27001:2013 Information Security Management Systems – Requirements standard, the ISO committee established a number of ‘Information Security Management Principles’ considered critical to establishing an effective information security management system (ISMS). These principles were intended to be used in conjunction with ISO 27001 and are outlined in ISO 27000.

The nine information security principles are:

  1. Awareness of the need for information security
  2. Assigned responsibility for information security
  3. Management commitment and stakeholder interests
  4. Enhancing societal values
  5. Risk assessments to determine appropriate controls and acceptable levels of risk
  6. Security incorporated as an essential element of information networks and systems
  7. Incident prevention and detection
  8. Comprehensive approach to ISMS management
  9. Continual reassessment of the ISMS and making appropriate modifications